Notes:
I haven’t formatted this script in the typical fashion I normally do.

Must be run on a DC with Domain Rights.

# Get today's date
$date = Get-Date
# Set variable LLTSlimit to today's date minus 90 days, as a FILETIME string
$LLTSlimit = (Get-Date).AddDays(-90).ToFileTimeUtc().ToString()
# Set variable LDAPFilter as an LDAP filter to only find ENABLED computer accounts (userAccountControl piece) that have a lastLogonTimestamp older than 90 days
$LDAPFilter = "(&(objectCategory=Computer)(objectClass=User)(lastlogontimestamp<=$LLTSlimit)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
# Output the matching computer DNs to a txt file for the loop
dsquery * domainroot -filter $LDAPFilter -limit 0 > D:\scripts\test.txt
# Loop through the computers that need to be disabled one at a time
foreach ($f in Get-Content D:\scripts\test.txt)
{
    # dsquery wraps each DN in double quotes; strip them before use
    $dn = $f.Trim('"')
    # Read the current description so the note can be appended to it
    $processolddesc = [string]([ADSI]"LDAP://$dn").description
    # Disable computer and append to the old description the note about disabling account
    dsmod computer $dn -disabled yes -desc "$processolddesc - Disabled due to inactivity on $date"
}
exit

Synopsis
I wrote this little script to address an issue where another admin/help desk/etc. created a bunch of Exchange contacts for external users, and then later we ended up creating some AD accounts for some of those users so they could access some Linux/Unix systems we host. However, we ran into an issue where those users had no way to be notified when their passwords expire. So to address that I wrote this script, "Powershell Script to Notify Users of Expired or About to Expire Passwords in Active Directory", which worked fine, but then I found I couldn’t email some users because I didn’t have an email address for them. I did, however, have an Exchange contact for some of them. So I wrote the following script to copy their emails from the Exchange contact into the AD Email attribute.

Explanation:
This script will set the Email address field found in Active Directory Users and Computers for a User/Object that has an email account in Exchange to the same value as the User/Object’s primary SMTP email address in Exchange.

This will fix the issue where the users don’t show up in the global address book.

Finally, after running the script you must update the OAB in Exchange, and all clients must update their local address books by running send and receive.

So where I work we use AD for single sign-on (SSO) for many of our systems, both Windows and Nix. Some of our users only access the Nix systems and are not actually on our domain. They have no way of knowing when their passwords are about to expire, and when their passwords do expire they just can’t log in, without any visible reason why. In order to address that I started looking around the net for a PowerShell script and found one over at Dan Penning Blog, but it didn’t address all of my needs. So using Dan’s script as the basis for a new script I came up with the following.

Synopsis of Goal:
Email the User when their password is about to expire or has expired, and supply a URL link to reset their password.
Notify the Admin of certain conditions:

Users Have Expired Passwords And No Primary SMTP Address to notify them

Users Whose Passwords Are About To Expire That Have No Primary SMTP Address

Users With Expired Passwords – Purely to report on it

Users Whose Passwords Are About To Expire

Users with no Expiration Date

And Supply the Admin with the Location of the User account in question in the report.

Other Notes:
Options included in the script without a major rewrite:

Adjust the timing at which alerting begins (by default, alerts to the user start at 10 days).

Admin report is optional

Admin report can be sorted by Password Expiration, First, or Last Name.
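
The report categories listed above, as an added example that is not the author's script: it classifies constructed sample records by password expiry using the 10-day default and prints an admin report sorted by expiration. The function name, record fields and sample values are assumptions; in a real domain the expiry value would come from the msDS-UserPasswordExpiryTimeComputed attribute.

```powershell
# Added example: Get-PasswordExpiryCategory and the record fields are hypothetical names.
function Get-PasswordExpiryCategory {
    param(
        [Parameter(Mandatory = $true)] $User,  # needs Mail and ExpiryFileTime properties
        [int] $WarnDays = 10,                  # default alert window from the notes above
        [datetime] $Now = (Get-Date)
    )
    # AD reports Int64.MaxValue in msDS-UserPasswordExpiryTimeComputed for accounts whose
    # password never expires; [datetime]::FromFileTime() throws on it, so test first.
    if ($User.ExpiryFileTime -eq [int64]::MaxValue) { return 'NoExpirationDate' }

    $daysLeft = ([datetime]::FromFileTime($User.ExpiryFileTime) - $Now).TotalDays
    $noMail   = [string]::IsNullOrWhiteSpace($User.Mail)

    if ($daysLeft -le 0) {
        if ($noMail) { return 'ExpiredNoSmtp' }
        return 'Expired'
    }
    if ($daysLeft -le $WarnDays) {
        if ($noMail) { return 'AboutToExpireNoSmtp' }
        return 'AboutToExpire'
    }
    return 'OK'
}

# Constructed sample records (not real accounts). In a domain they could be built from
# Get-ADUser -Properties mail, 'msDS-UserPasswordExpiryTimeComputed'.
$now = Get-Date
$sample = @(
    [pscustomobject]@{ Name = 'alice'; Mail = 'alice@example.test'; ExpiryFileTime = $now.AddDays(4).ToFileTime();  DistinguishedName = 'CN=alice,OU=Unix,DC=example,DC=test' }
    [pscustomobject]@{ Name = 'bob';   Mail = $null;                ExpiryFileTime = $now.AddDays(-2).ToFileTime(); DistinguishedName = 'CN=bob,OU=Unix,DC=example,DC=test' }
    [pscustomobject]@{ Name = 'carol'; Mail = '';                   ExpiryFileTime = $now.AddDays(6).ToFileTime();  DistinguishedName = 'CN=carol,OU=Unix,DC=example,DC=test' }
    [pscustomobject]@{ Name = 'dave';  Mail = 'dave@example.test';  ExpiryFileTime = [int64]::MaxValue;             DistinguishedName = 'CN=dave,OU=Svc,DC=example,DC=test' }
    [pscustomobject]@{ Name = 'erin';  Mail = 'erin@example.test';  ExpiryFileTime = $now.AddDays(-1).ToFileTime(); DistinguishedName = 'CN=erin,OU=Staff,DC=example,DC=test' }
    [pscustomobject]@{ Name = 'frank'; Mail = 'frank@example.test'; ExpiryFileTime = $now.AddDays(45).ToFileTime(); DistinguishedName = 'CN=frank,OU=Staff,DC=example,DC=test' }
)

# Admin report: every account that needs attention, sorted by password expiration,
# with the account's location (DN) in each row.
$sample | ForEach-Object {
    [pscustomobject]@{
        Name     = $_.Name
        Category = Get-PasswordExpiryCategory -User $_ -Now $now
        Location = $_.DistinguishedName
        SortKey  = $_.ExpiryFileTime
    }
} | Where-Object { $_.Category -ne 'OK' } | Sort-Object SortKey | Format-Table Name, Category, Location -AutoSize
```

Only the AboutToExpire and Expired categories have an address to mail; the two NoSmtp categories can only reach the admin report, which is why the report carries the account's location.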